LNK Exploits

The LNK exploit became popular in June 2010 when the Belarusian antivirus company VirusBlokAda found the first version of the Stuxnet worm, which used a zero-day vulnerability in LNK files to infect even a fully patched Windows 7 system.

Figure 1 - Stuxnet LNK file

The infection occurs as soon as the shortcut's icon is rendered in Windows Explorer or Total Commander, so no user interaction is needed.

The vulnerability is tracked as MS10-046 (CVE-2010-2568). According to cve.mitre.org, its description is as follows:

“Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted .LNK or .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.”

The vulnerability lies in the handling of .lnk files when explorer.exe displays Control Panel shortcuts. The shortcut must point to a non-system .cpl file, because the system .cpl files are listed in shell32.dll and handled differently, through a cache. The vulnerable function that loads the third-party library is CCtrlExtIconBase::_GetIconLocationW in shell32.dll; it calls CPL_FindCPLInfo, which in turn calls LoadLibraryW on the file that supposedly holds the icon.
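As an added illustration of the mechanism just described (not code from the original article or from any vendor), the Python below parses the LinkTargetIDList of a .lnk file and flags the combination this bug requires: a Control Panel item together with a path to a .cpl or .dll outside the system directories. The header layout and the CLSIDs come from the public MS-SHLLINK format; the detection heuristic, the SYSTEM_DIRS list and the item layout of the constructed sample are my own assumptions.

```python
import re
import struct
import uuid

# Well-known shell-namespace CLSIDs, stored little-endian as they appear in an IDList.
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1          # LinkFlags bit 0 (MS-SHLLINK 2.1.1)
HEADER_SIZE = 0x4C                     # ShellLinkHeader is always 76 bytes
# Assumption: system Control Panel applets live only here; adjust for other SystemRoots.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_id_list(data: bytes):
    """Return the ItemID payloads of the LinkTargetIDList (without size fields), or []."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = HEADER_SIZE
    id_list_size = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    end = min(pos + id_list_size, len(data))
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:             # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def utf16_strings(blob: bytes, min_chars: int = 4):
    """Extract printable UTF-16LE runs; shell items store their paths that way."""
    pattern = rb"(?:[\x20-\x7e]\x00){" + str(min_chars).encode() + rb",}"
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def assess_lnk(data: bytes) -> dict:
    """Heuristic: a Control Panel target plus a module path outside the system directories."""
    items = parse_id_list(data)
    control_panel = any(CONTROL_PANEL_CLSID in item for item in items)
    modules = []
    for item in items:
        for s in utf16_strings(item):
            low = s.lower()
            if low.endswith((".cpl", ".dll")) and not low.startswith(SYSTEM_DIRS):
                modules.append(s)
    return {
        "control_panel_target": control_panel,
        "non_system_modules": modules,
        "suspicious": control_panel and bool(modules),
    }


def build_sample(module_path: str) -> bytes:
    """Constructed test input: a minimal .lnk whose IDList walks
    My Computer -> Control Panel -> module_path. The class-type bytes and the
    8-byte prefix are simplifications, not a byte-exact real-world item layout."""
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST))
    header += bytes(HEADER_SIZE - len(header))     # remaining header fields zeroed
    root = b"\x1f\x50" + MY_COMPUTER_CLSID
    cpanel = b"\x2e\x80" + CONTROL_PANEL_CLSID
    module = bytes(8) + module_path.encode("utf-16-le") + b"\x00\x00"
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in (root, cpanel, module))
    body += b"\x00\x00"                            # TerminalID
    return header + struct.pack("<H", len(body)) + body


# Constructed: a header that carries no LinkTargetIDList at all.
NO_IDLIST_SAMPLE = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + bytes(HEADER_SIZE - 20)


if __name__ == "__main__":
    for path in (r"E:\docs\icon.dll", r"C:\Windows\System32\timedate.cpl"):
        print(path, "->", assess_lnk(build_sample(path)))
```

This is a triage heuristic for scanning removable media or mail attachments, not a substitute for the MS10-046 patch: it will also flag legitimately installed third-party .cpl files that live outside system32, and a real-world scanner has to cope with the other shell item types and relative paths that the constructed sample does not exercise.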

This vulnerability is becoming more popular among malware creators. Even the famous cyber weapon, Flame, discovered by Kaspersky Lab, contains the Euphoria module, which creates a .lnk file to be run.

The number of worms that use the LNK vulnerability as an alternative to classic autorun.inf exploitation is growing month by month. For example, the most recent .lnk files uploaded to our lab and detected as Worm.LNK.Autorun.bqj are engineered to run the following command:

Figure 2 - Worm.LNK.Autorun.bqj LNK file

The main goal of such exploitation is to give the malware worm functionality: it spreads copies of itself via USB removable drives and, more rarely, via network shares. The growth in detected LNK files is shown in Figure 3.

Figure 3 - Received LNK samples

Conclusion

Based on these trends, we can reasonably expect that LNK worms will overtake Autorun worms in the near future as the alternative way to distribute malware via USB removable drives.